
[SECURITY UPDATE] TeamSpeak 3 Client 3.0.18.1 is Available

We have just released a very important security update for the TeamSpeak 3 Client addressing an RFI (Remote File Inclusion) vulnerability. Please upgrade your desktop clients to version 3.0.18.1 immediately. The update is available for Windows, Linux and OS X. Mobile clients for Android and iOS are not affected by this issue.

You can use the auto-update feature to grab this new release. If you need an installer, please refer to our Downloads page.

*** IMPORTANT ***
We strongly recommend that all server providers and admins change the minimum desktop client version required for users to connect to the server. Unfortunately, this will also prevent mobile clients from connecting for now. We'll release updates to Google Play and the Apple App Store as soon as possible (see updates below).

If you don't want to (or can't) increase the minimum client version on your server, you can prevent users from exploiting this vulnerability by revoking the permissions to create channels with descriptions on your server.
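For admins who script their servers, the two mitigations above (raising the minimum desktop client version, or revoking the channel-description permissions) can both be applied over the ServerQuery interface. The following is an added example, not TeamSpeak's own tooling: it assumes the default query port 10011, the documented `serveredit` and `servergroupdelperm` commands, and server group ids taken from `servergrouplist`; the build timestamp of client 3.0.18.1 is not given in this thread, so `MIN_BUILD` is a placeholder you must fill in.

```python
import re
import socket

# ServerQuery escaping rules (assumed from the TS3 ServerQuery manual), applied
# to parameter values and reversed when reading the reply's msg field.
_ESC = {"\\": r"\\", "/": r"\/", " ": r"\s", "|": r"\p", "\n": r"\n", "\r": r"\r", "\t": r"\t"}
_UNESC = {v: k for k, v in _ESC.items()}

def ts3_escape(value: str) -> str:
    return "".join(_ESC.get(ch, ch) for ch in value)

def ts3_unescape(value: str) -> str:
    return re.sub(r"\\.", lambda m: _UNESC.get(m.group(0), m.group(0)), value)

def parse_error(line: str) -> tuple:
    """Parse the 'error id=N msg=...' line that ends every ServerQuery reply."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return int(fields["id"]), ts3_unescape(fields.get("msg", ""))

def hardening_commands(sid: int, min_build: int, group_ids: list) -> list:
    """Raise the minimum desktop client version on virtual server `sid` and drop
    the channel-description permissions from every server group in `group_ids`."""
    cmds = [f"use sid={sid}", f"serveredit virtualserver_min_client_version={min_build}"]
    for gid in group_ids:
        # The advisory names creating channels with a description; modifying an
        # existing description is revoked too, on the assumption it is the same surface.
        cmds.append(f"servergroupdelperm sgid={gid} permsid=b_channel_create_with_description")
        cmds.append(f"servergroupdelperm sgid={gid} permsid=b_channel_modify_description")
    return cmds

def run(host: str, port: int, user: str, password: str, commands: list) -> None:
    """Log in over the raw ServerQuery TCP protocol; stop at the first non-zero error id."""
    login = f"login client_login_name={ts3_escape(user)} client_login_password={ts3_escape(password)}"
    with socket.create_connection((host, port), timeout=10) as sock:
        f = sock.makefile("rwb")
        f.readline(); f.readline()          # "TS3" banner and the welcome line
        for cmd in [login] + list(commands) + ["quit"]:
            f.write((cmd + "\n").encode()); f.flush()
            if cmd == "quit":
                break
            line = f.readline().decode().strip()
            while not line.startswith("error "):   # skip data lines before the status line
                line = f.readline().decode().strip()
            code, msg = parse_error(line)
            if code != 0:
                raise RuntimeError(f"{cmd.split()[0]} failed: {msg}")

if __name__ == "__main__":
    MIN_BUILD = 0  # placeholder: build timestamp of client 3.0.18.1, not given in this thread
    if MIN_BUILD <= 0:
        raise SystemExit("set MIN_BUILD before running, or the version check is lifted")
    run("127.0.0.1", 10011, "serveradmin", "<query password>", hardening_commands(1, MIN_BUILD, [8]))
```

The password and group id 8 in the `__main__` block are stand-ins; replace them with your query credentials and the ids of the groups that may create channels.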

Unfortunately, it does. Upcoming server versions will allow you to specify the minimum client version for Android and iOS separately from the desktop version.

Originally Posted by ahmedkoki

I am updating it now but why is it that important?

Well... previous client versions were affected by a vulnerability that allowed an attacker to download malicious files to your computer. So this is very serious. We strongly recommend that everyone updates their clients before the way to exploit this is publicly known.

My best guess is that this is a UAC issue because you did not start the installer in elevated mode or the TS3 Client is currently running (but I don't see that on your screenshot)... The installer itself seems to be OK since I am unable to reproduce this error on any of my systems.

Please note that you can also use the auto update feature by starting the TS3 Client and hitting Help -> Check for Update.

How can you be sure you were attacked, if you don't even know if the file has been executed?
I'm sure you mean that you were affected by the vulnerability (as everyone was), which may or may not have been exploited. Most likely not, I suppose.

If I am mistaken, please provide more details.

@ScP / Staff: Was this vulnerability discovered by a TeamSpeak staff member or has it been disclosed by a user / found in the wild?

Well, because you have not also recompiled and re-rolled out the Android/iPhone versions, which is your task to do if the min_client_version also affects mobile devices, I can't change this number until they are also supported.

If such an attack comes, then I must tell you: I can't exclude mobile devices, because I need to connect to my TS3 servers if customers have problems, and customers also connect over their own mobile phones.

At the point that you knew this, you already should have re-released the latest mobile version directly after the client release.

I must say that this is very bad support for this important security fix only because mobile versions are not affected by this vulnerability.

@ScP / Staff: Was this vulnerability discovered by a TeamSpeak staff member or has it been disclosed by a user / found in the wild?

The issue has been reported to our development team by a user.

Originally Posted by Chaos234

I must say that this is very bad support for this important security fix only because mobile versions are not affected by this vulnerability.

Can't understand these politics...

What you might not know is that releasing an update to Google Play and the Apple App Store is not as simple as uploading a file to some FTP server. Every update is subject to a review process by Apple (and Google since earlier this year) so it takes some additional time to get those new releases out. Would you prefer us to hold back a critical security update until the mobile clients are approved?

In my post I also explained what you can do as a server admin if you don't want to (or can't) increase the minimum client version.

We're fully aware that this situation is not ideal and we sincerely apologize for any inconvenience caused, but the security and privacy of our user-base is one of the most important things to us.

How can you be sure you were attacked, if you don't even know if the file has been executed?
I'm sure you mean that you were affected by the vulnerability (as everyone was), which may or may not have been exploited. Most likely not, I suppose.

If I am mistaken, please provide more details.

The attacker downloaded a file to my desktop. The attacker told me that it was done by this exploit.

Now I must know if I must reformat my disk.

I wouldn't assume the worst case scenario just now... If you can provide details about the suspicious file we might be able to help. Can you upload that file somewhere (e.g. Dropbox) and send me a PM with the link?

Of course you can't be sure, but... if the file was empty (and visible on your desktop), I think someone was just trying to troll you by exploiting this vulnerability. If I were you, I'd just scan my computer for viruses for now and keep an eye out for anything suspicious. But I guess there's no need to wipe your disk just now.